enable CONFIG_CPU_SW_DOMAIN_PAN for raspi2/raspi3
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-raspi2 (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Yakkety |
Fix Committed
|
Undecided
|
Unassigned | ||
Zesty |
Fix Committed
|
Undecided
|
Unassigned |
Bug Description
Kees Cook is requesting the following be enabled for our Raspi2/3 enabled kernel:
config CPU_SW_DOMAIN_PAN
bool "Enable use of CPU domains to implement privileged no-access"
depends on MMU && !ARM_LPAE
default y
help
Increase kernel security by ensuring that normal kernel accesses
are unable to access userspace addresses. This can help prevent
by ensuring that magic values (such as LIST_POISON) will always
fault when dereferenced.
CPUs with low-vector mappings use a best-efforts implementation.
Their lower 1MB needs to remain accessible for the vectors, but
the remainder of userspace will become appropriately inaccessible.
Similarly, Kees noted that all the configs from ubuntu's 4.8 new defaults seem to be missing for raspi2/3. e.g.:
CONFIG_
CONFIG_
CONFIG_DEBUG_LIST=y
CONFIG_
Kees also noted that it may ust be armhf/arm64 issue with the config.
I suspect what actually needs to happen is a full config review comparison for our linux-raspi2 kernel.
CVE References
description: | updated |
description: | updated |
Changed in linux-raspi2 (Ubuntu Xenial): | |
status: | New → Fix Committed |
tags: | added: verification-done-xenial |
Changed in linux-raspi2 (Ubuntu Yakkety): | |
status: | New → Fix Committed |
Changed in linux-raspi2 (Ubuntu Zesty): | |
status: | New → Fix Committed |
Xenial doesn't have CONFIG_ HARDENED_ USERCOPY and CONFIG_ SLAB_FREELIST_ RANDOM, while CONFIG_DEBUG_LIST and CONFIG_ DEBUG_CREDENTIA LS are off in -generic (so i'm not taking these into consideration) - the only eligible options there is CPU_SW_DOMAIN_PAN.
In Yakkety, CONFIG_ DEBUG_CREDENTIA LS and CONFIG_DEBUG_LIST are off in -generic (except for DEBUG_LIST being =y for s390x) so i'm not taking these in consideration, HARDENED_USERCOPY was already =y, while the rest should be synced with -generic.
In Zeisty CONFIG_ DEBUG_CREDENTIA LS and CONFIG_DEBUG_LIST are off in -generic, so i'm not taking these in consideration, while the rest should be synced.